GDPR and the NHS: are we ready for new data laws?

GDPR in 2018

On 25th May, GDPR becomes enforceable law for every business and institution. It is the single biggest data protection overhaul in 20 years, and it is the issue everyone is talking about (despite a huge percentage of us not entirely understanding what it is).

But if we need a reminder of how important these new data laws are, we need only look back to last year’s landmark cyber-attacks.

When data breaches hit the mainstream

In May 2017, ransomware known as ‘WannaCry’ hit 300,000 computers across the world, and the NHS was particularly badly affected. Trusts throughout the UK were compromised, and some hospitals and surgeries famously had to revert to pen and paper because their systems and data were no longer usable.

The cyber-attack was a shock to the nation, but not to those who understand cyber security. In fact, with legacy systems, security inconsistencies across the country and a lack of proactive training, the NHS was a prime target.

Last year’s cyber-attacks were a perfect illustration not only of how easily the NHS could be breached, but how serious the consequences could be. When data security is compromised, so, potentially, is patient safety.

What is GDPR?

General Data Protection Regulation (GDPR) is EU-wide legislation that aims to ensure better data protection for individuals. It replaces outdated UK laws from 1998, and holds organisations to higher data standards.

It was adopted in 2016, giving organisations two years to prepare before it comes into force. But recent research suggests the NHS is underprepared.

Think tank Parliament Street discovered that trusts have spent around £1 million to prepare for GDPR. Despite around 40% of trusts not responding to their survey, they were able to conclude that this sum was almost certainly insufficient. Furthermore, they’ve cited research from the Digital Health Alliance that shows only 55% of acute trusts have an implementation plan in place.

The NHS is adamant that it’s ready, but question marks remain. And it’s vital that GDPR gets the attention it warrants, given that cyber-attacks like last year’s could actually become more common after GDPR comes into force.

Why the cyber threat could increase after GDPR

In October 2016, Uber was hacked, compromising the data of 57 million drivers and passengers. But in this particular attack, the ‘ransom’ took a new direction.

Typically, hackers blackmail organisations by demanding money in return for removing their ransomware. On this occasion, however, the hackers were paid to keep the data breach a secret. They knew about the growing significance of data protection laws, and used that knowledge to their advantage.

It is widely believed by cyber security experts that when GDPR becomes the norm, blackmail of this kind will become more prevalent. And frankly, who better to attack than the NHS? With legacy systems, outdated digital practices and perhaps the largest store of personal data in the entire country, our health system is low-hanging fruit.

At Clarity, we’ve seen first-hand how our technological innovation has a real, immediate and front-line impact on performance and security. And that’s because our rostering and bank software is built to adapt and update. Cyber threats are growing more sophisticated, and are coming from more angles. Your technology can’t stand still – and we can ensure it doesn’t. You can find out more about how our products work here.

What can be done to protect the NHS

The answer to this problem is as simple as it is complicated.

The NHS, as has been repeatedly suggested, has to invest in better, more consistent, more robust digital systems across the board. Quite simply, it has to go digital, and it has to catch up with the rest of the world. But of course, that makes the problem sound easier to solve than it is. For an institution as old, large and complex as the NHS, a digital transformation is extremely hard.

Fundamentally, a change of mindset is required: the NHS must treat GDPR, digital progress and cyber security as major priorities. These issues are, after all, closely tied to day-to-day operational pressures, as last year’s cyber-attacks made clear. It took nothing more than the click of a button to put NHS patients at serious risk.


Irina Buzdugan